My Mac is vulnerable, as this test shows:
x='() { :;}; echo VULNERABLE' bash -c :
(source)
I am using the version of bash that came with it. I also use Homebrew. What is the preferred way to patch Bash?
First, you don't need to do this unless you are offering web services to the public internet from your Mac. If you are not, wait until there is an official security update from Apple.
However, if you are offering web services, you might want to update.
Apple has released an Official Bash Security Update Here
To confirm that you are using an outdated bash:
$ which bash
/bin/bash
$ /bin/bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
The most current bash is 4.3.25
If you don't have Xcode installed, you'll need the Xcode command line tools, which can be installed by
$ xcode-select --install
Or from the developer portal https://developer.apple.com/downloads/index.action?=command%20line%20tools
download command_line_tools_for_osx_10.9_september_2014.dmg
To install Brew (http://brew.sh):
$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Then do:
$ brew doctor
Follow any instructions if there are problems. Many common problems are addressed at http://www.moncefbelyamani.com/how-to-install-xcode-homebrew-git-rvm-ruby-on-mac/#troubleshoot-homebrew
Then update brew to the latest list of packages:
$ brew update
To get the latest bash 4.3.25:
$ brew install bash
This installs bash into /usr/local/Cellar/bash/4.3.25/bin/bash
The old bash and sh still exist at /bin, so after installing you'll rename the old executables to a new file.
$ sudo mv /bin/bash /bin/bash_old
$ sudo mv /bin/sh /bin/sh_old
If you are very paranoid, you can remove execute permissions on the bash_old
$ sudo chmod a-x /bin/bash_old /bin/sh_old
Then create a symbolic link to the new bash 4.3.25 that brew installed.
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/bash
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/sh
Reboot and it is complete.
A warning — this may break some existing shell scripts that might rely on bash 3.2 or the differences that the Mac sh has over the Linux sh. There is a much more sophisticated answer to replacing bash and sh from sources at
https://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
In most cases it is best to wait for official updates.
-- Christopher Allen
Please check the version of bash in brew before you do the step below:
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/bash
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/sh
The bash version is updated to 4.3.27 so far. If you still link 4.3.25 to /bin/bash, your Mac should not boot. If you have done that, you can boot to recovery mode and copy /bin/bash_old to /bin/bash and copy /bin/sh_old to /bin/sh.
My bash version in brew is 4.3.27, so this will work for me:
$ sudo ln -s /usr/local/Cellar/bash/4.3.27/bin/bash /bin/bash
$ sudo ln -s /usr/local/Cellar/bash/4.3.27/bin/bash /bin/sh
Not good, still vulnerable!
bash-4.3$ brew upgrade bash
Error: bash-4.3.25 already installed
bash-4.3$ /usr/local/Cellar/bash/4.3.25/bin/bash
bash-4.3$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
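An added example, not taken from any of the posts above: a preflight check in POSIX sh that could be run before the `ln -s` steps. It confirms that a Homebrew bash really exists at the path about to be linked and runs the question's test against that specific binary. The function names, the return codes and the Cellar-scanning helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight check before linking a replacement shell into /bin.
# Return codes (chosen for this example):
#   0 = exists, is executable, and passes the test from the question
#   1 = missing or not executable (a symlink to it would dangle)
#   2 = runs, but prints the marker, so it is still vulnerable
check_candidate() {
    candidate=$1
    # A hard-coded Cellar version that is not installed fails here.
    if [ ! -f "$candidate" ] || [ ! -x "$candidate" ]; then
        echo "MISSING: $candidate" >&2
        return 1
    fi
    # Same probe as in the question, but run against this exact binary
    # rather than whichever bash happens to be first in PATH.
    out=$(x='() { :;}; echo VULNERABLE' "$candidate" -c : 2>/dev/null) || true
    case $out in
        *VULNERABLE*)
            echo "VULNERABLE: $candidate" >&2
            return 2 ;;
    esac
    echo "OK: $candidate" >&2
    return 0
}

# Print the path of the newest bash actually present under a Homebrew
# Cellar directory (default taken from the answers above), or nothing.
newest_cellar_bash() {
    cellar=${1:-/usr/local/Cellar/bash}
    newest=$(
        for dir in "$cellar"/*/; do
            [ -x "${dir}bin/bash" ] && basename "$dir"
        done | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
    )
    if [ -n "$newest" ]; then
        echo "$cellar/$newest/bin/bash"
    fi
}
```

Run `check_candidate "$(newest_cellar_bash)"` and create the symlinks only when it returns 0. This covers only the single test shown in the question.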